guacamole-user mailing list archives

From Nick Couchman <vn...@apache.org>
Subject Re: Guacamole URL ReWrite
Date Thu, 14 Mar 2019 13:28:05 GMT
On Wed, Mar 13, 2019 at 3:46 PM sciUser <shulbert@securitycentric.net>
wrote:

> Hello,
>
> I am looking for documentation (not an extension) on rewriting the session URL
> so that the token or username and password are removed and a /mysubhere is
> placed.


Depending on what you're really trying to accomplish, the stock Guacamole
Client already does this.  If you use the client (without modifications),
you'll see that the web application that loads in your browser just has
/guacamole/#/ on it, and then /guacamole/#/client/<ENCODED DATA> when you
access a client, etc.  All of the calls that actually contain parameters
are done in the background, hidden from the user.  It isn't that you can't
see them at all - if you open the Developer Console and watch all of the
network traffic you will see them - but the user doesn't normally see them.

If you're trying to get rid of the ?token= piece entirely from all of the
REST API calls, this isn't possible without significant code modification -
the back-end Java application has to have some way of identifying the
client making the request, and that's currently implemented by a POST call
to /api/tokens with the username and password, and then subsequent calls
with the ?token= parameter on the REST API endpoints.  In order to
completely get rid of the ?token= on the REST API calls you would have to
completely rewrite both the front-end JavaScript and back-end Java code to
use something other than that token to identify the session (cookies,
perhaps).


>
> I would need to see code examples.
>

Depending on what you're trying to do (see above), the Guacamole Client
already behaves this way, by running a web application in the browser that
handles all of the API calls internally, hiding them from the user.


>
> Currently we get the username and password passed in for autologin, but
> would like to hide that.
>

As I have mentioned repeatedly, you do not have to do a GET call with
?username=username&password=password - you can POST to the /api/tokens
endpoint to obtain the token.  Thus, username and password will not be part
of any URLs.  You'll still have to deal with the token parameter
requirement, as noted above.

-Nick
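
The flow described in the reply above, as an added example that is not part of the original message or of the Guacamole code base: credentials go in the POST body to /api/tokens, later REST calls carry ?token=, and the token is masked before a URL is written to a log. Assumptions not on the page: the host name, the sample credentials and token, the form-encoded body, the `authToken` and `dataSource` response fields, and the `session/data/<dataSource>/connections` path.

```javascript
// Added example. BASE and all sample values are constructed.
const BASE = "https://gateway.example.test/guacamole";

// Login request: username and password travel in the form-encoded POST body,
// so they never appear in the URL, browser history, or proxy access logs.
function buildTokenRequest(base, username, password) {
  return {
    url: `${base}/api/tokens`,
    options: {
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: new URLSearchParams({ username, password }).toString(),
    },
  };
}

// Subsequent REST calls identify the session with the ?token= parameter.
function withToken(base, path, token) {
  const url = new URL(`${base}/api/${path}`);
  url.searchParams.set("token", token);
  return url.toString();
}

// The token is still part of the URL, so mask it before logging a request.
function redactToken(urlString) {
  const url = new URL(urlString);
  if (url.searchParams.has("token")) url.searchParams.set("token", "REDACTED");
  return url.toString();
}

// Full flow against a live server (defined here, not called).
// Assumption: the JSON response carries `authToken` and `dataSource`.
async function listConnections(base, username, password) {
  const { url, options } = buildTokenRequest(base, username, password);
  const login = await fetch(url, options);
  if (!login.ok) throw new Error(`login failed: HTTP ${login.status}`);
  const { authToken, dataSource } = await login.json();
  const listUrl = withToken(base, `session/data/${dataSource}/connections`, authToken);
  console.log("GET", redactToken(listUrl)); // log line never contains the token
  const res = await fetch(listUrl);
  if (!res.ok) throw new Error(`request failed: HTTP ${res.status}`);
  return res.json();
}
```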
